ISIL Android App, exploration and thoughts...

I saw today the Independent tweeted a message highlighting that ISIL released an Android App, so that followers can follow a little bit harder ... hmm


I couldn't help myself, I had to have a look... hopefully if any intelligence agencies saw the app being installed from my house they would be smart enough to know that I was probably doing what they were doing (having a good old snoop around) ... hopefully I won't get turned over.

Let's have a look:

I downloaded the app from here and booted up Kali Linux and my One+1 Android phone...

Things we want to do:

  • Unpack / decompile the application
  • Install the Application and search for vulnerabilities
  • Look at the communication between the application and the server that is providing content
  • Ponder

To get the application:

wget https://archive.org/download/NewsApplicationV1.06_201508/NewsApplication%20V1.06.apk

Then unpack the application:
mv NewsApplication%20V1.06.apk NewsApplication%20V1.06.zip

unzip NewsApplication%20V1.06.zip

Alright, we can now have a mooch around the code ... but not before we convert classes.dex to classes.jar so we can read the Java. We do this using dex2jar; if you are using Kali I think it's installed by default, and if not `sudo apt-get install dex2jar` will install it on your box (it's in Brew if you're using a Mac).

Next we need something to view the jar file. All hail JD-GUI, which will allow us to take a look inside.

NOTE: I'm not a full-blown Java source-code reviewer; I'm looking for connection strings to servers, APIs and external references. If someone wants to have a mooch at the source code ... JD-GUI

like this ..

Alright, debugging is enabled. I wouldn't recommend any application or 'thing' allow debugging in production; this might be useful later on.

It also has startappexchange referenced in the classes.jar file (startapp.android.publish > b.class, add network configuration). This might be interesting data to acquire for intelligence, by way of looking at those who have installed the application and from what IP address they did so.

Drozer:

Drozer, formerly Mercury from MWR Labs, is the number one toolkit for Android security testing. With a quick command we can see 1 activity and 2 broadcast receivers exported, and that the app is debuggable, nice. But no quick wins: what I'm looking for is something immediately exploitable by way of interacting with the app via a web attack (for a quick turnaround).

dz> run app.package.attacksurface com.apps.newsapplication
Attack Surface:
  1 activities exported
  2 broadcast receivers exported
  0 content providers exported
  0 services exported
    is debuggable

Okay, no easily exploitable quick wins in here, but we could make use of these security issues at another time.

Other things we learned from looking at the Java:

The app publisher has embedded ads.

What's this?

Best efforts for tonight. Thanks Google Translate, I'm sure you did a better job than me!

Let's look at the communications.

Two domains: one hosting the version release of the app (taqwa.pub) and one providing the content (nashernews.net). nashernews.net is the domain being called; it's a WordPress website, as we can see by the wp-admin folder and some of the other values. Unfortunately, when the domain was purchased from name.com it was also subscribed to domain privacy ... although I'm sure LEO has the ability to find this information out, us normal internet users cannot.

The site is now in maintenance mode; I can only assume Cloudflare have noticed it's a naughty site. Jolly good.

whois nashernews.net & taqwa.pub

Domain Name: NASHERNEWS.NET
Registry Domain ID: 1946572051_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2015-07-13T14:29:50-06:00Z
Creation Date: 2015-07-13T12:10:36-06:00Z
Registrar Registration Expiration Date: 2016-07-13T12:10:36-06:00Z
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service, Inc.
Registrant Street: PO Box 639
Registrant City: Kirkland
Registrant State/Province: WA
Registrant Postal Code: 98083
Registrant Country: US
Registrant Phone: +1.4252740657
Registrant Fax: +1.4259744730
Registrant Email: [email protected].com
Registry Admin ID:
Admin Name: Whois Agent
Admin Organization: Whois Privacy Protection Service, Inc.
Admin Street: PO Box 639
Admin City: Kirkland
Admin State/Province: WA
Admin Postal Code: 98083
Admin Country: US
Admin Phone: +1.4252740657
Admin Fax: +1.4259744730
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Whois Agent
Tech Organization: Whois Privacy Protection Service, Inc.
Tech Street: PO Box 639
Tech City: Kirkland
Tech State/Province: WA
Tech Postal Code: 98083
Tech Country: US
Tech Phone: +1.4252740657
Tech Fax: +1.4259744730
Tech Email: [email protected]
Name Server: nina.ns.cloudflare.com
Name Server: zeus.ns.cloudflare.com
DNSSEC: Unsigned Delegation
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.17203101849
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2015-08-08T17:15:09-06:00

Uh oh, Cloudflare is protecting a pro-ISIL site; I'm sure they aren't aware of it... We like Cloudflare, I have a BugBounty reward from them, they care about security. I messaged them to let them know that the domain name is slightly terroristy, and shortly after it's in maintenance mode (I didn't get a response; I'm sure they were already on it).

We don't have site functionality now, but I think we have access to cached images ... let's look for EXIF information.

BurpSuite Pro

Burp Suite is the number one attack proxy; everyone loves Burp Suite.

I have told my One+1 Android to push all its web traffic via my proxy (Burp) so we can intercept the traffic and inspect it. Let's see what we can see!

Okay, so we know that the primary domain is in maintenance mode, but we can still reach cached information in Cloudflare if we know where it is... kinda annoying, but maybe the images have some EXIF data in them that might be useful.

Yay, Photoshop

Adobe Photoshop  Adobe Photoshop CC  8BIM  http://ns.adobe.com/xap/1.0/
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 ">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
    xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#"
    xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/"
    xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"
    xmp:CreateDate="2015-05-09T00:09:32+03:00"
    xmp:MetadataDate="2015-07-21T18:08:52+03:00"
    xmp:ModifyDate="2015-07-21T18:08:52+03:00"
    dc:format="image/jpeg"
    xmpMM:InstanceID="xmp.iid:bcf346e7-10c3-984b-b3d1-e41ebf4e32a2"
    xmpMM:DocumentID="adobe:docid:photoshop:4f2eb7bc-2e08-11e5-bd41-ed16b28f84bb"
    xmpMM:OriginalDocumentID="xmp.did:091a4fd6-7f28-974b-a951-ec23b087fb49"
    photoshop:ColorMode="3"
    photoshop:ICCProfile="sRGB IEC61966-2.1">
   <xmpMM:History>
    <rdf:Seq>
     <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:091a4fd6-7f28-974b-a951-ec23b087fb49" stEvt:when="2015-05-09T00:09:32+03:00" stEvt:softwareAgent="Adobe Photoshop CC (Windows)"/>
     <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:b89b72dc-8429-e64f-a82b-dfbdca2cc444" stEvt:when="2015-05-09T00:14:18+03:00" stEvt:softwareAgent="Adobe Photoshop CC (Windows)" stEvt:changed="/"/>
     <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:c8f5d0b0-ccfd-ad4f-80da-5610a2a2c1ae" stEvt:when="2015-07-21T18:08:52+03:00" stEvt:softwareAgent="Adobe Photoshop CC (Windows)" stEvt:changed="/"/>
     <rdf:li stEvt:action="converted" stEvt:parameters="from application/vnd.adobe.photoshop to image/jpeg"/>
     <rdf:li stEvt:action="derived" stEvt:parameters="converted from application/vnd.adobe.photoshop to image/jpeg"/>
     <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:bcf346e7-10c3-984b-b3d1-e41ebf4e32a2" stEvt:when="2015-07-21T18:08:52+03:00" stEvt:softwareAgent="Adobe Photoshop CC (Windows)" stEvt:changed="/"/>
    </rdf:Seq>
   </xmpMM:History>
   <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:c8f5d0b0-ccfd-ad4f-80da-5610a2a2c1ae" stRef:documentID="adobe:docid:photoshop:4f2eb7bc-2e08-11e5-bd41-ed16b28f84bb" stRef:originalDocumentID="xmp.did:091a4fd6-7f28-974b-a951-ec23b087fb49"/>
   <photoshop:TextLayers>
    <rdf:Bag>
     <rdf:li photoshop:LayerName="AL BARAKAH" photoshop:LayerText="AL BARAKAH"/>
    </rdf:Bag>
   </photoshop:TextLayers>
   <photoshop:DocumentAncestors>
    <rdf:Bag>
     <rdf:li>xmp.did:091a4fd6-7f28-974b-a951-ec23b087fb49</rdf:li>
    </rdf:Bag>
   </photoshop:DocumentAncestors>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>

If you want those files yourself I'm happy to share them (you will need Burp Suite Pro to restore them, or you can extract the data from the Burp file by your own means).

We will take a longer look at the other data to see if it's valuable too.
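As an added example (my code, not the post's), here is a small Python script that does the metadata step above offline: it walks the JPEG marker segments, pulls the APP1 XMP packet and summarises the fields worth noting from a packet like the one above (creator tool, the UTC offsets carried in every timestamp, text layers and edit history). The embedded JPEG is constructed for the demo and modelled on the packet above; it is not one of the cached images.

```python
import re
import struct
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the packet above (XMP / Photoshop schemas).
NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "xmp": "http://ns.adobe.com/xap/1.0/",
    "xmpMM": "http://ns.adobe.com/xap/1.0/mm/",
    "stEvt": "http://ns.adobe.com/xap/1.0/sType/ResourceEvent#",
    "photoshop": "http://ns.adobe.com/photoshop/1.0/",
}
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"  # APP1 prefix that marks an XMP segment

def extract_xmp(jpeg):
    """Walk the JPEG marker segments and return the XMP packet text, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: image data follows, no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(XMP_HEADER):
            return body[len(XMP_HEADER):].decode("utf-8", "replace")
        pos += 2 + length
    return None

def summarise_xmp(packet):
    """Pull out the fields an analyst cares about: tool, UTC offsets, text layers, history."""
    root = ET.fromstring(packet)
    desc = root.find(".//rdf:Description", NS)
    xmp, ev, ps = ("{%s}" % NS[k] for k in ("xmp", "stEvt", "photoshop"))
    history = [(li.get(ev + "action"), li.get(ev + "when"), li.get(ev + "softwareAgent"))
               for li in root.findall(".//xmpMM:History/rdf:Seq/rdf:li", NS)]
    # Every timestamp carries the editing machine's local UTC offset: a coarse location hint.
    stamps = [v for k, v in desc.attrib.items() if k.startswith(xmp) and k.endswith("Date")]
    stamps += [when for _, when, _ in history if when]
    offsets = sorted({m.group(1) for s in stamps for m in [re.search(r"([+-]\d\d:\d\d)$", s)] if m})
    layers = [li.get(ps + "LayerText") for li in root.findall(".//photoshop:TextLayers/rdf:Bag/rdf:li", NS)]
    return {"creator_tool": desc.get(xmp + "CreatorTool"), "utc_offsets": offsets,
            "text_layers": layers, "history": history}

# Constructed sample: an XMP packet modelled on the one above (values are made up for the demo).
SAMPLE_XMP = (
    '<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
    '<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    '<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" '
    'xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" '
    'xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmp:CreateDate="2015-05-09T00:09:32+03:00" '
    'xmp:ModifyDate="2015-07-21T18:08:52+03:00"><xmpMM:History><rdf:Seq>'
    '<rdf:li stEvt:action="created" stEvt:when="2015-05-09T00:09:32+03:00" stEvt:softwareAgent="Adobe Photoshop CC (Windows)"/>'
    '<rdf:li stEvt:action="saved" stEvt:when="2015-07-21T18:08:52+03:00" stEvt:softwareAgent="Adobe Photoshop CC (Windows)"/>'
    '</rdf:Seq></xmpMM:History><photoshop:TextLayers><rdf:Bag><rdf:li photoshop:LayerText="SAMPLE LAYER"/></rdf:Bag>'
    '</photoshop:TextLayers></rdf:Description></rdf:RDF></x:xmpmeta>'
)

def build_jpeg(packet):
    """Wrap an XMP packet in SOI + APP1 + EOI so the parser can be exercised offline."""
    body = XMP_HEADER + packet.encode("utf-8")
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    print(summarise_xmp(extract_xmp(build_jpeg(SAMPLE_XMP))))
```

Point it at a real file with `summarise_xmp(extract_xmp(open(path, "rb").read()))`; a None from extract_xmp simply means the image carries no XMP segment.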

Pondering:

We know that they understand what's involved in identifying domain owners, and they know what to do, to a reasonable degree, to protect identities (at least from the public).
We know that they aren't using any specialist tools to deliver content: they have used an app builder, they have used WordPress, they used Cloudflare and they use whois privacy... reasonably informed, although I wouldn't recommend they existed on the 'public internet', but I guess that risk is worth getting more followers to them...

I wish I had more to give, but this has been cut short by way of the site no longer being available.

But here are the things we can learn when apps like this appear:

  • How did we learn about the app? How can we keep learning about new comms / data / stuff?
  • Perform security and forensic analysis of the application
    • EXIF data tells us that someone is using Adobe CC on a Windows OS (does Adobe have a way of identifying accounts by unique metadata?)
  • Identify domain names from content providers
  • Identify hosting providers and let them know
    • If you notice any exploitable vulnerabilities, be sure to share them with your local intelligence agency
  • Identify all third parties that are associated and let them know that they should be on their toes (or at least reactive, if not active, to these things - if they actually see them as an abuse)
  • Extract residual data from files shared (images / documents etc.)
  • Inform the right people - also so you don't end up on a watch list for hitting those domains ;)

I don't know if this post is useful, but it was fun. It could have been more fun... maybe next time.

If you are interested in replicating my steps or want to have a crack at it yourself, get in touch and I'll help you with tooling, configuration and considerations.

That's all for now